chef 10.32.2 → 10.34.0

data/spec/data/mac_users/10.9.shadow.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+        <key>SALTED-SHA512-PBKDF2</key>
+        <dict>
+                <key>entropy</key>
+                <data>
+                EmAakNsXy/i6SAjmOC+w07nYpsGhkEd79oCrIa+2BlRnE25VzCCKb3QVbj2v
+                IPsTNp70t7r6BH2ANZ+0akikrczVSOuzOFGwk0fMqENBp/k6JxRzQ/ifuEP7
+                RsABfSZK+kl2uqz5QbkVvR7ByiTDCz51ngJAPgL1n+f/WTinY2w=
+                </data>
+                <key>iterations</key>
+                <integer>34482</integer>
+                <key>salt</key>
+                <data>
+                7pVL5HL9xg3fiUhHgUM5k2JfAGr27IEMCPSafkE5RqE=
+                </data>
+        </dict>
+</dict>
+</plist>

data/spec/functional/resource/user/dscl_spec.rb

@@ -0,0 +1,199 @@
+#
+# Copyright:: Copyright (c) 2014 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'spec_helper'
+require 'chef/mixin/shell_out'
+require 'functional/resource/base'
+
+metadata = {
+  :unix_only => true,
+  :requires_root => true,
+  :provider => {:user => Chef::Provider::User::Dscl}
+}
+
+describe "Chef::Resource::User with Chef::Provider::User::Dscl provider", metadata do
+  include Chef::Mixin::ShellOut
+
+  def clean_user
+    begin
+      shell_out!("/usr/bin/dscl . -delete '/Users/#{username}'")
+    rescue Mixlib::ShellOut::ShellCommandFailed
+      # Raised when the user is already cleaned
+    end
+  end
+
+  def user_should_exist
+    shell_out("/usr/bin/dscl . -ls /Users").stdout.should include username
+  end
+
+  def check_password(pass)
+    # In order to test the password we use dscl passwd command since
+    # that's the only command that gets the user password from CLI.
+    shell_out("dscl . -passwd /Users/greatchef #{pass} new_password").exitstatus.should == 0
+    # Now reset the password back
+    shell_out("dscl . -passwd /Users/greatchef new_password #{pass}").exitstatus.should == 0
+  end
+
+  let(:node) do
+    n = Chef::Node.new
+    n.consume_external_attrs(ohai.data.dup, {})
+    n
+  end
+
+  let(:events) do
+    Chef::EventDispatch::Dispatcher.new
+  end
+
+  let(:run_context) do
+    Chef::RunContext.new(node, {}, events)
+  end
+
+  let(:username) do
+    "greatchef"
+  end
+
+  let(:uid) { nil }
+  let(:gid) { 20 }
+  let(:home) { nil }
+  let(:manage_home) { false }
+  let(:password) { "XXXYYYZZZ" }
+  let(:comment) { "Great Chef" }
+  let(:shell) { "/bin/bash" }
+  let(:salt) { nil }
+  let(:iterations) { nil }
+
+  let(:user_resource) do
+    r = Chef::Resource::User.new("TEST USER RESOURCE", run_context)
+    r.username(username)
+    r.uid(uid)
+    r.gid(gid)
+    r.home(home)
+    r.shell(shell)
+    r.comment(comment)
+    r.manage_home(manage_home)
+    r.password(password)
+    r.salt(salt)
+    r.iterations(iterations)
+    r
+  end
+
+  before do
+    clean_user
+  end
+
+  after(:each) do
+    clean_user
+  end
+
+  describe "action :create" do
+    it "should create the user" do
+      user_resource.run_action(:create)
+      user_should_exist
+      check_password(password)
+    end
+  end
+
+  describe "when user exists" do
+    before do
+      existing_resource = user_resource.dup
+      existing_resource.run_action(:create)
+      user_should_exist
+    end
+
+    describe "when password is updated" do
+      it "should update the password of the user" do
+        user_resource.password("mykitchen")
+        user_resource.run_action(:create)
+        check_password("mykitchen")
+      end
+    end
+  end
+
+  describe "when password is being set via shadow hash" do
+    let(:password) {
+      if node[:platform_version].start_with?("10.7.")
+        # On Mac 10.7 we only need to set the password
+        "c9b3bd1a0cde797eef0eff16c580dab996ba3a21961cccc\
+d0f5e65c61558243e50b1a490088bd4824e3b35562d383ca02260398\
+ef1979b302212ec1c5383d1d05fc8d843"
+      else
+        "c734b6e4787c3727bb35e29fdd92b97c\
+1de12df509577a045728255ec7c6c5f5\
+c18efa05ed02b682ffa7ebc05119900e\
+b1d4880833aa7a190afc13e2bf0936b8\
+20123e8c98f0f9bcac2a629d9163caac\
+9464a8c234f3919082400b4f939bb77b\
+c5adbbac718b7eb99463a7b679571e0f\
+1c9fef2ef08d0b9e9c2bcf644eed2ffc"
+      end
+    }
+
+    let(:iterations) { 25000 }
+    let(:salt) { "9e2e7d5ee473b496fd24cf0bbfcaedfcb291ee21740e570d1e917e874f8788ca" }
+
+    it "action :create should create the user" do
+      user_resource.run_action(:create)
+      user_should_exist
+      check_password("soawesome")
+    end
+
+    describe "when user exists" do
+      before do
+        existing_resource = user_resource.dup
+        existing_resource.run_action(:create)
+        user_should_exist
+      end
+
+      describe "when password is updated" do
+        it "should update the password of the user" do
+          user_resource.password("mykitchen")
+          user_resource.run_action(:create)
+          check_password("mykitchen")
+        end
+      end
+    end
+  end
+
+  describe "when a user is member of some groups" do
+    let(:groups) { ["staff", "operator"] }
+
+    before do
+      existing_resource = user_resource.dup
+      existing_resource.run_action(:create)
+
+      groups.each do |group|
+        shell_out!("/usr/bin/dscl . -append '/Groups/#{group}' GroupMembership #{username}")
+      end
+    end
+
+    after do
+      groups.each do |group|
+        # Do not raise an error when user is correctly removed
+        shell_out("/usr/bin/dscl . -delete '/Groups/#{group}' GroupMembership #{username}")
+      end
+    end
+
+    it ":remove action removes the user from the groups and deletes the user"do
+      user_resource.run_action(:remove)
+      groups.each do |group|
+        # Do not raise an error when group is empty
+        shell_out("dscl . read /Groups/staff GroupMembership").stdout.should_not include(group)
+      end
+    end
+  end
+
+end

data/spec/spec_helper.rb

@@ -51,6 +51,13 @@ require 'spec/support/local_gems.rb' if File.exists?(File.join(File.dirname(__FI
 # Explicitly require spec helpers that need to load first
 require 'spec/support/platform_helpers'
 
+
+OHAI_SYSTEM = Ohai::System.new
+OHAI_SYSTEM.require_plugin("os")
+OHAI_SYSTEM.require_plugin("platform")
+TEST_PLATFORM = OHAI_SYSTEM["platform"].dup.freeze
+TEST_PLATFORM_VERSION = OHAI_SYSTEM["platform_version"].dup.freeze
+
 # Autoloads support files
 # Excludes support/platforms by default
 # Do not change the gsub.
@@ -81,6 +88,22 @@ RSpec.configure do |config|
   config.filter_run_excluding :requires_unprivileged_user => true if ENV['USER'] == 'root'
   config.filter_run_excluding :uses_diff => true unless has_diff?
 
+  # Functional Resource tests that are provider-specific:
+  # context "on platforms that use useradd", :provider => {:user => Chef::Provider::User::Useradd}} do #...
+  config.filter_run_excluding :provider => lambda {|criteria|
+    type, target_provider = criteria.first
+
+    platform = TEST_PLATFORM.dup
+    platform_version = TEST_PLATFORM_VERSION.dup
+
+    begin
+      provider_for_running_platform = Chef::Platform.find_provider(platform, platform_version, type)
+      provider_for_running_platform != target_provider
+    rescue ArgumentError # no provider for platform
+      true
+    end
+  }
+
   config.run_all_when_everything_filtered = true
   config.treat_symbols_as_metadata_keys_with_true_values = true
 end

data/spec/unit/client_spec.rb

@@ -92,7 +92,7 @@ shared_examples_for Chef::Client do
       Chef::REST.should_receive(:new).with(Chef::Config[:client_url], Chef::Config[:validation_client_name], Chef::Config[:validation_key]).exactly(1).and_return(mock_chef_rest_for_client)
       mock_chef_rest_for_client.should_receive(:register).with(@fqdn, Chef::Config[:client_key]).exactly(1).and_return(true)
       #   Client.register will then turn around create another
-      
+
       #   Chef::REST object, this time with the client key it got from the
       #   previous step.
       Chef::REST.should_receive(:new).with(Chef::Config[:chef_server_url], @fqdn, Chef::Config[:client_key]).exactly(1).and_return(mock_chef_rest_for_node)
@@ -150,7 +150,7 @@ shared_examples_for Chef::Client do
           block.call
         end
       end
-      
+
       # This is what we're testing.
       @client.run
 
@@ -159,7 +159,7 @@ shared_examples_for Chef::Client do
         @node.automatic_attrs[:platform_version].should == "example-platform-1.0"
       end
     end
-    
+
     describe "when notifying other objects of the status of the chef run" do
       before do
         Chef::Client.clear_notifications
@@ -232,6 +232,25 @@ shared_examples_for Chef::Client do
     end
   end
 
+  describe "should set single lettered environments correctly" do
+    before do
+      @original_env = Chef::Config[:environment]
+    end
+
+    after do
+      Chef::Config[:environment] = @original_env
+    end
+
+    it "should set the environment correctly" do
+      @node.chef_environment.should == "_default"
+      Chef::Config[:environment] = "A"
+
+      @client.build_node
+      
+      @node.chef_environment.should == "A"
+    end
+  end
+
   describe "when a run list override is provided" do
     before do
       @node = Chef::Node.new(@hostname)
@@ -264,7 +283,7 @@ shared_examples_for Chef::Client do
       @node.should_receive(:save).and_return(nil)
 
       @client.build_node
-      
+
       @node[:roles].should_not be_nil
       @node[:roles].should eql(['test_role'])
       @node[:recipes].should eql(['cookbook1'])

data/spec/unit/provider/group/dscl_spec.rb

@@ -293,3 +293,38 @@ describe Chef::Provider::Group::Dscl do
     end
   end
 end
+
+describe 'Test DSCL loading' do
+  before do
+    @node = Chef::Node.new
+    @events = Chef::EventDispatch::Dispatcher.new
+    @run_context = Chef::RunContext.new(@node, {}, @events)
+    @new_resource = Chef::Resource::Group.new("aj")
+    @provider = Chef::Provider::Group::Dscl.new(@new_resource, @run_context)
+    @output = <<-EOF
+AppleMetaNodeLocation: /Local/Default
+Comment:
+ Test Group
+GeneratedUID: AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA
+NestedGroups: AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAB
+Password: *
+PrimaryGroupID: 999
+RealName:
+ TestGroup
+RecordName: com.apple.aj
+RecordType: dsRecTypeStandard:Groups
+GroupMembership: waka bar
+EOF
+    @provider.stub(:safe_dscl).with("read /Groups/aj").and_return(@output)
+    @current_resource = @provider.load_current_resource
+  end
+
+  it 'should parse gid properly' do
+    File.stub(:exists?).and_return(true)
+    @current_resource.gid.should eq("999")
+  end
+  it 'should parse members properly' do
+    File.stub(:exists?).and_return(true)
+    @current_resource.members.should eq(['waka', 'bar'])
+  end
+end

data/spec/unit/provider/package/rpm_spec.rb

@@ -80,6 +80,18 @@ describe Chef::Provider::Package::Rpm do
       @provider.stub!(:popen4).and_return(status)
       lambda { @provider.run_action(:any) }.should raise_error(Chef::Exceptions::Package)
     end
+
+    it "should not detect the package name as version when not installed" do
+      @status = double("Status", :exitstatus => -1)
+      @stdout = StringIO.new("package openssh-askpass is not installed")
+      @new_resource = Chef::Resource::Package.new("openssh-askpass")
+      @new_resource.source 'openssh-askpass'
+      @provider = Chef::Provider::Package::Rpm.new(@new_resource, @run_context)
+      @provider.should_receive(:popen4).with("rpm -qp --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n' openssh-askpass").and_yield(@pid, @stdin, @stdout, @stderr).and_return(@status)
+      @provider.should_receive(:popen4).with("rpm -q --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n' openssh-askpass").and_return(@status)
+      @provider.load_current_resource
+      @provider.current_resource.version.should be_nil
+    end
   end
   
   describe "after the current resource is loaded" do

data/spec/unit/provider/service/macosx_spec.rb

@@ -58,6 +58,43 @@ XML
       let!(:current_resource) { Chef::Resource::Service.new(service_name) }
 
       describe "#load_current_resource" do
+
+        # CHEF-5223 "you can't glob for a file that hasn't been converged
+        # onto the node yet."
+        context "when the plist doesn't exist" do
+
+          def run_resource_setup_for_action(action)
+            new_resource.action(action)
+            provider.action = action
+            provider.load_current_resource
+            provider.define_resource_requirements
+            provider.process_resource_requirements
+          end
+
+          before do
+            Dir.stub(:glob).and_return([])
+            provider.stub(:shell_out!).
+                     with(/plutil -convert xml1 -o/).
+                     and_raise(Mixlib::ShellOut::ShellCommandFailed)
+          end
+
+          it "works for action :nothing" do
+            lambda { run_resource_setup_for_action(:nothing) }.should_not raise_error
+          end
+
+          it "works for action :start" do
+            lambda { run_resource_setup_for_action(:start) }.should_not raise_error
+          end
+
+          it "errors if action is :enable" do
+            lambda { run_resource_setup_for_action(:enable) }.should raise_error(Chef::Exceptions::Service)
+          end
+
+          it "errors if action is :disable" do
+            lambda { run_resource_setup_for_action(:disable) }.should raise_error(Chef::Exceptions::Service)
+          end
+        end
+
         context "when launchctl returns pid in service list" do
           let(:launchctl_stdout) { StringIO.new <<-SVC_LIST }
 12761 - 0x100114220.old.machinit.thing

data/spec/unit/provider/user/dscl_spec.rb

@@ -6,9 +6,9 @@
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-# 
+#
 #     http://www.apache.org/licenses/LICENSE-2.0
-# 
+#
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -20,435 +20,856 @@ ShellCmdResult = Struct.new(:stdout, :stderr, :exitstatus)
 
 require 'spec_helper'
 require 'ostruct'
+require 'mixlib/shellout'
 
 describe Chef::Provider::User::Dscl do
-  before do
-    @node = Chef::Node.new
-    @events = Chef::EventDispatch::Dispatcher.new
-    @run_context = Chef::RunContext.new(@node, {}, @events)
-    @new_resource = Chef::Resource::User.new("toor")
-    @provider = Chef::Provider::User::Dscl.new(@new_resource, @run_context)
-  end
-  
+  let(:node) {
+    node = Chef::Node.new
+    node.stub(:[]).with(:platform_version).and_return(mac_version)
+    node.stub(:[]).with(:platform).and_return("mac_os_x")
+    node
+  }
+
+  let(:events) {
+    Chef::EventDispatch::Dispatcher.new
+  }
+
+  let(:run_context) {
+    Chef::RunContext.new(node, {}, events)
+  }
+
+  let(:new_resource) {
+    r = Chef::Resource::User.new("toor")
+    r.password(password)
+    r.salt(salt)
+    r.iterations(iterations)
+    r
+  }
+
+  let(:provider) {
+    Chef::Provider::User::Dscl.new(new_resource, run_context)
+  }
+
+  let(:mac_version) {
+    "10.9.1"
+  }
+
+  let(:password) { nil }
+  let(:salt) { nil }
+  let(:iterations) { nil }
+
+  let(:salted_sha512_password) {
+    "0f543f021c63255e64e121a3585601b8ecfedf6d2\
+705ddac69e682a33db5dbcdb9b56a2520bc8fff63a\
+2ba6b7984c0737ff0b7949455071581f7affcd536d\
+402b6cdb097"
+  }
+
+  let(:salted_sha512_pbkdf2_password) {
+    "c734b6e4787c3727bb35e29fdd92b97c\
+1de12df509577a045728255ec7c6c5f5\
+c18efa05ed02b682ffa7ebc05119900e\
+b1d4880833aa7a190afc13e2bf0936b8\
+20123e8c98f0f9bcac2a629d9163caac\
+9464a8c234f3919082400b4f939bb77b\
+c5adbbac718b7eb99463a7b679571e0f\
+1c9fef2ef08d0b9e9c2bcf644eed2ffc"
+  }
+
+  let(:salted_sha512_pbkdf2_salt) {
+    "2d942d8364a9ccf2b8e5cb7ed1ff58f78\
+e29dbfee7f9db58859144d061fd0058"
+  }
+
+  let(:salted_sha512_pbkdf2_iterations) {
+    25000
+  }
+
+  let(:vagrant_sha_512) {
+    "6f75d7190441facc34291ebbea1fc756b242d4f\
+e9bcff141bccb84f1979e27e539539aa31f9f7dcc92c0cea959\
+ea18e18b720e358e7fbe3cfbeaa561456f6ba008937a30"
+  }
+
+  let(:vagrant_sha_512_pbkdf2) {
+    "12601a90db17cbf\
+8ba4808e6382fb0d3b9d8a6c1a190477bf680ab21afb\
+6065467136e55cc208a6f74156e3daf20fb13369ef4b\
+7bafa047d80359fb46a48a4adccd548ebb33851b093\
+47cca84341a7f93a27147343f89fb843fb46c0017d2\
+64afa4976baacf941b915bd1ec1ca24c30b3e759e02\
+403e02f59fe7ff5938a7636c"
+  }
+
+  let(:vagrant_sha_512_pbkdf2_salt) {
+    "ee954be472fdc60ddf89484781433993625f006af6ec810c08f49a7e413946a1"
+  }
+
+  let(:vagrant_sha_512_pbkdf2_iterations) {
+    34482
+  }
+
   describe "when shelling out to dscl" do
     it "should run dscl with the supplied cmd /Path args" do
       shell_return = ShellCmdResult.new('stdout', 'err', 0)
-      @provider.should_receive(:shell_out).with("dscl . -cmd /Path args").and_return(shell_return)
-      @provider.safe_dscl("cmd /Path args").should == 'stdout'
+      provider.should_receive(:shell_out).with("dscl . -cmd /Path args").and_return(shell_return)
+      provider.run_dscl("cmd /Path args").should == 'stdout'
     end
 
     it "returns an empty string from delete commands" do
       shell_return = ShellCmdResult.new('out', 'err', 23)
-      @provider.should_receive(:shell_out).with("dscl . -delete /Path args").and_return(shell_return)
-      @provider.safe_dscl("delete /Path args").should == ""
+      provider.should_receive(:shell_out).with("dscl . -delete /Path args").and_return(shell_return)
+      provider.run_dscl("delete /Path args").should == ""
     end
 
     it "should raise an exception for any other command" do
       shell_return = ShellCmdResult.new('out', 'err', 23)
-      @provider.should_receive(:shell_out).with('dscl . -cmd /Path arguments').and_return(shell_return)
-      lambda { @provider.safe_dscl("cmd /Path arguments") }.should raise_error(Chef::Exceptions::DsclCommandFailed)
+      provider.should_receive(:shell_out).with('dscl . -cmd /Path arguments').and_return(shell_return)
+      lambda { provider.run_dscl("cmd /Path arguments") }.should raise_error(Chef::Exceptions::DsclCommandFailed)
     end
 
     it "raises an exception when dscl reports 'no such key'" do
       shell_return = ShellCmdResult.new("No such key: ", 'err', 23)
-      @provider.should_receive(:shell_out).with('dscl . -cmd /Path args').and_return(shell_return)
-      lambda { @provider.safe_dscl("cmd /Path args") }.should raise_error(Chef::Exceptions::DsclCommandFailed)
+      provider.should_receive(:shell_out).with('dscl . -cmd /Path args').and_return(shell_return)
+      lambda { provider.run_dscl("cmd /Path args") }.should raise_error(Chef::Exceptions::DsclCommandFailed)
+    end
+
+    it "raises an exception when dscl reports 'eDSRecordNotFound'" do
+      shell_return = ShellCmdResult.new("<dscl_cmd> DS Error: -14136 (eDSRecordNotFound)", 'err', -14136)
+      provider.should_receive(:shell_out).with('dscl . -cmd /Path args').and_return(shell_return)
+      lambda { provider.run_dscl("cmd /Path args") }.should raise_error(Chef::Exceptions::DsclCommandFailed)
     end
   end
 
   describe "get_free_uid" do
     before do
-      @provider.stub!(:safe_dscl).and_return("\nwheel      200\nstaff      201\n")
+      provider.should_receive(:run_dscl).with("list /Users uid").and_return("\nwheel      200\nstaff      201\nbrahms      500\nchopin      501\n")
     end
-  
-    it "should run safe_dscl with list /Users uid" do
-      @provider.should_receive(:safe_dscl).with("list /Users uid")
-      @provider.get_free_uid
+
+    describe "when resource is configured as system" do
+      before do
+        new_resource.system(true)
+      end
+
+      it "should return the first unused uid number on or above 500" do
+        provider.get_free_uid.should eq(202)
+      end
     end
 
     it "should return the first unused uid number on or above 200" do
-      @provider.get_free_uid.should == 202
+      provider.get_free_uid.should eq(502)
     end
-  
+
     it "should raise an exception when the search limit is exhausted" do
       search_limit = 1
-      lambda { @provider.get_free_uid(search_limit) }.should raise_error(RuntimeError)
+      lambda { provider.get_free_uid(search_limit) }.should raise_error(RuntimeError)
     end
   end
 
   describe "uid_used?" do
-    before do
-      @provider.stub!(:safe_dscl).and_return("\naj      500\n")
+    it "should return false if not given any valid uid number" do
+      provider.uid_used?(nil).should be_false
     end
 
-    it "should run safe_dscl with list /Users uid" do
-      @provider.should_receive(:safe_dscl).with("list /Users uid")
-      @provider.uid_used?(500)
-    end
-  
-    it "should return true for a used uid number" do
-      @provider.uid_used?(500).should be_true
-    end
+    describe "when called with a user id" do
+      before do
+        provider.should_receive(:run_dscl).with("list /Users uid").and_return("\naj      500\n")
+      end
 
-    it "should return false for an unused uid number" do
-      @provider.uid_used?(501).should be_false
-    end
+      it "should return true for a used uid number" do
+        provider.uid_used?(500).should be_true
+      end
 
-    it "should return false if not given any valid uid number" do
-      @provider.uid_used?(nil).should be_false
+      it "should return false for an unused uid number" do
+        provider.uid_used?(501).should be_false
+      end
     end
   end
 
   describe "when determining the uid to set" do
     it "raises RequestedUIDUnavailable if the requested uid is already in use" do
-      @provider.stub!(:uid_used?).and_return(true)
-      @provider.should_receive(:get_free_uid).and_return(501)
-      lambda { @provider.set_uid }.should raise_error(Chef::Exceptions::RequestedUIDUnavailable)
+      provider.stub(:uid_used?).and_return(true)
+      provider.should_receive(:get_free_uid).and_return(501)
+      lambda { provider.dscl_set_uid }.should raise_error(Chef::Exceptions::RequestedUIDUnavailable)
     end
-  
+
     it "finds a valid, unused uid when none is specified" do
-      @provider.should_receive(:safe_dscl).with("list /Users uid").and_return('')
-      @provider.should_receive(:safe_dscl).with("create /Users/toor UniqueID 501")
-      @provider.should_receive(:get_free_uid).and_return(501)
-      @provider.set_uid
-      @new_resource.uid.should == 501
+      provider.should_receive(:run_dscl).with("list /Users uid").and_return('')
+      provider.should_receive(:run_dscl).with("create /Users/toor UniqueID 501")
+      provider.should_receive(:get_free_uid).and_return(501)
+      provider.dscl_set_uid
+      new_resource.uid.should eq(501)
     end
-  
+
     it "sets the uid specified in the resource" do
-      @new_resource.uid(1000)
-      @provider.should_receive(:safe_dscl).with("create /Users/toor UniqueID 1000").and_return(true)
-      @provider.should_receive(:safe_dscl).with("list /Users uid").and_return('')
-      @provider.set_uid
+      new_resource.uid(1000)
+      provider.should_receive(:run_dscl).with("create /Users/toor UniqueID 1000").and_return(true)
+      provider.should_receive(:run_dscl).with("list /Users uid").and_return('')
+      provider.dscl_set_uid
     end
   end
 
   describe "when modifying the home directory" do
+    let(:current_resource) {
+      new_resource.dup
+    }
+
     before do
-      @new_resource.supports({ :manage_home => true })
-      @new_resource.home('/Users/toor')
-      
-      @current_resource = @new_resource.dup
-      @provider.current_resource = @current_resource
+      new_resource.supports({ :manage_home => true })
+      new_resource.home('/Users/toor')
+
+      provider.current_resource = current_resource
     end
 
     it "deletes the home directory when resource#home is nil" do
-      @new_resource.instance_variable_set(:@home, nil)
-      @provider.should_receive(:safe_dscl).with("delete /Users/toor NFSHomeDirectory").and_return(true)
-      @provider.modify_home
+      new_resource.instance_variable_set(:@home, nil)
+      provider.should_receive(:run_dscl).with("delete /Users/toor NFSHomeDirectory").and_return(true)
+      provider.dscl_set_home
     end
-  
+
 
     it "raises InvalidHomeDirectory when the resource's home directory doesn't look right" do
-      @new_resource.home('epic-fail')
-      lambda { @provider.modify_home }.should raise_error(Chef::Exceptions::InvalidHomeDirectory)
+      new_resource.home('epic-fail')
+      lambda { provider.dscl_set_home }.should raise_error(Chef::Exceptions::InvalidHomeDirectory)
     end
 
     it "moves the users home to the new location if it exists and the target location is different" do
-      @new_resource.supports(:manage_home => true)
-      
+      new_resource.supports(:manage_home => true)
+
       current_home = CHEF_SPEC_DATA + '/old_home_dir'
       current_home_files = [current_home + '/my-dot-emacs', current_home + '/my-dot-vim']
-      @current_resource.home(current_home)
-      @new_resource.gid(23)
-      ::File.stub!(:exists?).with('/old/home/toor').and_return(true)
-      ::File.stub!(:exists?).with('/Users/toor').and_return(true)
-    
+      current_resource.home(current_home)
+      new_resource.gid(23)
+      ::File.stub(:exists?).with('/old/home/toor').and_return(true)
+      ::File.stub(:exists?).with('/Users/toor').and_return(true)
+
       FileUtils.should_receive(:mkdir_p).with('/Users/toor').and_return(true)
       FileUtils.should_receive(:rmdir).with(current_home)
       ::Dir.should_receive(:glob).with("#{CHEF_SPEC_DATA}/old_home_dir/*",::File::FNM_DOTMATCH).and_return(current_home_files)
       FileUtils.should_receive(:mv).with(current_home_files, "/Users/toor", :force => true)
       FileUtils.should_receive(:chown_R).with('toor','23','/Users/toor')
-      
-      @provider.should_receive(:safe_dscl).with("create /Users/toor NFSHomeDirectory '/Users/toor'")
-      @provider.modify_home
+
+      provider.should_receive(:run_dscl).with("create /Users/toor NFSHomeDirectory '/Users/toor'")
+      provider.dscl_set_home
     end
 
     it "should raise an exception when the systems user template dir (skel) cannot be found" do
-      ::File.stub!(:exists?).and_return(false,false,false)
-      lambda { @provider.modify_home }.should raise_error(Chef::Exceptions::User)
+      ::File.stub(:exists?).and_return(false,false,false)
+      lambda { provider.dscl_set_home }.should raise_error(Chef::Exceptions::User)
     end
 
     it "should run ditto to copy any missing files from skel to the new home dir" do
       ::File.should_receive(:exists?).with("/System/Library/User\ Template/English.lproj").and_return(true)
       FileUtils.should_receive(:chown_R).with('toor', '', '/Users/toor')
-      @provider.should_receive(:shell_out!).with("ditto '/System/Library/User Template/English.lproj' '/Users/toor'")
-      @provider.ditto_home
+      provider.should_receive(:shell_out!).with("ditto '/System/Library/User Template/English.lproj' '/Users/toor'")
+      provider.ditto_home
     end
 
     it "creates the user's NFSHomeDirectory and home directory" do
-      @provider.should_receive(:safe_dscl).with("create /Users/toor NFSHomeDirectory '/Users/toor'").and_return(true)
-      @provider.should_receive(:ditto_home)
-      @provider.modify_home
+      provider.should_receive(:run_dscl).with("create /Users/toor NFSHomeDirectory '/Users/toor'").and_return(true)
+      provider.should_receive(:ditto_home)
+      provider.dscl_set_home
     end
   end
 
-  describe "osx_shadow_hash?" do
-    it "should return true when the string is a shadow hash" do
-      @provider.osx_shadow_hash?("0"*8*155).should eql(true)
-    end
+  describe "resource_requirements" do
+    let(:dscl_exists) { true }
+    let(:plutil_exists) { true }
 
-    it "should return false otherwise" do
-      @provider.osx_shadow_hash?("any other string").should eql(false)
+    before do
+      ::File.stub(:exists?).with("/usr/bin/dscl").and_return(dscl_exists)
+      ::File.stub(:exists?).with("/usr/bin/plutil").and_return(plutil_exists)
     end
-  end
 
-  describe "when detecting the format of a password" do
-    it "detects a OS X salted sha1" do
-      @provider.osx_salted_sha1?("0"*48).should eql(true)
-      @provider.osx_salted_sha1?("any other string").should eql(false)
+    def run_requirements
+      provider.define_resource_requirements
+      provider.action = :create
+      provider.process_resource_requirements
     end
-  end
 
-  describe "guid" do
-    it "should run safe_dscl with read /Users/user GeneratedUID to get the users GUID" do
-      expected_uuid = "b398449e-cee0-45e0-80f8-b0b5b1bfdeaa"
-      @provider.should_receive(:safe_dscl).with("read /Users/toor GeneratedUID").and_return(expected_uuid + "\n")
-      @provider.guid.should == expected_uuid
+    describe "when dscl doesn't exist" do
+      let(:dscl_exists) { false }
+
+      it "should raise an error" do
+        lambda { run_requirements }.should raise_error
+      end
     end
-  end
 
-  describe "shadow_hash_set?" do
+    describe "when plutil doesn't exist" do
+      let(:plutil_exists) { false }
 
-    it "should run safe_dscl with read /Users/user to see if the AuthenticationAuthority key exists" do
-      @provider.should_receive(:safe_dscl).with("read /Users/toor")
-      @provider.shadow_hash_set?
+      it "should raise an error" do
+        lambda { run_requirements }.should raise_error
+      end
     end
 
-    describe "when the user account has an AuthenticationAuthority key" do
-      it "uses the shadow hash when there is a ShadowHash field in the AuthenticationAuthority key" do
-        @provider.should_receive(:safe_dscl).with("read /Users/toor").and_return("\nAuthenticationAuthority: ;ShadowHash;\n")
-        @provider.shadow_hash_set?.should be_true
+    describe "when on Mac 10.6" do
+      let(:mac_version) {
+        "10.6.5"
+      }
+
+      it "should raise an error" do
+        lambda { run_requirements }.should raise_error
       end
+    end
+
+    describe "when on Mac 10.7" do
+      let(:mac_version) {
+        "10.7.5"
+      }
 
-      it "does not use the shadow hash when there is no ShadowHash field in the AuthenticationAuthority key" do
-        @provider.should_receive(:safe_dscl).with("read /Users/toor").and_return("\nAuthenticationAuthority: \n")
-        @provider.shadow_hash_set?.should be_false
+      describe "when password is SALTED-SHA512" do
+        let(:password) { salted_sha512_password }
+
+        it "should not raise an error" do
+          lambda { run_requirements }.should_not raise_error
+        end
       end
 
+      describe "when password is SALTED-SHA512-PBKDF2" do
+        let(:password) { salted_sha512_pbkdf2_password }
+
+        it "should raise an error" do
+          lambda { run_requirements }.should raise_error
+        end
+      end
     end
 
-    describe "with no AuthenticationAuthority key in the user account" do
-      it "does not use the shadow hash" do
-        @provider.should_receive(:safe_dscl).with("read /Users/toor").and_return("")
-        @provider.shadow_hash_set?.should eql(false)
+    [ "10.9", "10.10"].each do |version|
+      describe "when on Mac #{version}" do
+        let(:mac_version) {
+          "#{version}.2"
+        }
+
+        describe "when password is SALTED-SHA512" do
+          let(:password) { salted_sha512_password }
+
+          it "should raise an error" do
+            lambda { run_requirements }.should raise_error
+          end
+        end
+
+        describe "when password is SALTED-SHA512-PBKDF2" do
+          let(:password) { salted_sha512_pbkdf2_password }
+
+          describe "when salt and iteration is not set" do
+            it "should raise an error" do
+              lambda { run_requirements }.should raise_error
+            end
+          end
+
+          describe "when salt and iteration is set" do
+            let(:salt) { salted_sha512_pbkdf2_salt }
+            let(:iterations) { salted_sha512_pbkdf2_iterations }
+
+            it "should not raise an error" do
+              lambda { run_requirements }.should_not raise_error
+            end
+          end
+        end
       end
     end
   end
 
-  describe "when setting or modifying the user password" do
+  describe "load_current_resource" do
+    # set this to any of the user plist files under spec/data
+    let(:user_plist_file) { nil }
+
     before do
-      @new_resource.password("password")
-      @output = StringIO.new
+      provider.should_receive(:shell_out).with("plutil -convert xml1 -o - /var/db/dslocal/nodes/Default/users/toor.plist") do
+        if user_plist_file.nil?
+          ShellCmdResult.new('Can not find the file', 'Sorry!!', 1)
+        else
+          ShellCmdResult.new(File.read(File.join(CHEF_SPEC_DATA, "mac_users/#{user_plist_file}.plist.xml")), "", 0)
+        end
+      end
+
+      if !user_plist_file.nil?
+        provider.should_receive(:convert_binary_plist_to_xml).and_return(File.read(File.join(CHEF_SPEC_DATA, "mac_users/#{user_plist_file}.shadow.xml")))
+      end
     end
 
-    describe "when using a salted sha1 for the password" do
-      before do
-        @new_resource.password("F"*48)
-      end
-    
-      it "should write a shadow hash file with the expected salted sha1" do
-        uuid = "B398449E-CEE0-45E0-80F8-B0B5B1BFDEAA"
-        File.should_receive(:open).with('/var/db/shadow/hash/B398449E-CEE0-45E0-80F8-B0B5B1BFDEAA', "w", 384).and_yield(@output)
-        @provider.should_receive(:safe_dscl).with("read /Users/toor GeneratedUID").and_return(uuid)
-        @provider.should_receive(:safe_dscl).with("read /Users/toor").and_return("\nAuthenticationAuthority: ;ShadowHash;\n")
-        expected_salted_sha1 = @new_resource.password
-        expected_shadow_hash = "00000000"*155
-        expected_shadow_hash[168] = expected_salted_sha1
-        @provider.modify_password
-        @output.string.strip.should == expected_shadow_hash
-      end    
-    end
-
-    describe "when given a shadow hash file for the password" do
-      it "should write the shadow hash file directly to /var/db/shadow/hash/GUID" do
-        shadow_hash = '0123456789ABCDE0123456789ABCDEF' * 40
-        raise 'oops' unless shadow_hash.size == 1240
-        @new_resource.password shadow_hash
-        uuid = "B398449E-CEE0-45E0-80F8-B0B5B1BFDEAA"
-        File.should_receive(:open).with('/var/db/shadow/hash/B398449E-CEE0-45E0-80F8-B0B5B1BFDEAA', "w", 384).and_yield(@output)
-        @provider.should_receive(:safe_dscl).with("read /Users/toor GeneratedUID").and_return(uuid)
-        @provider.should_receive(:safe_dscl).with("read /Users/toor").and_return("\nAuthenticationAuthority: ;ShadowHash;\n")
-        @provider.modify_password
-        @output.string.strip.should == shadow_hash
-      end
-    end
-
-    describe "when given a string for the password" do
-      it "should output a salted sha1 and shadow hash file from the specified password" do
-        uuid = "B398449E-CEE0-45E0-80F8-B0B5B1BFDEAA"
-        File.should_receive(:open).with('/var/db/shadow/hash/B398449E-CEE0-45E0-80F8-B0B5B1BFDEAA', "w", 384).and_yield(@output)
-        @new_resource.password("password")
-        OpenSSL::Random.stub!(:random_bytes).and_return("\377\377\377\377\377\377\377\377")
-        expected_salted_sha1 = "F"*8+"SHA1-"*8
-        expected_shadow_hash = "00000000"*155
-        expected_shadow_hash[168] = expected_salted_sha1
-        @provider.should_receive(:safe_dscl).with("read /Users/toor GeneratedUID").and_return(uuid)
-        @provider.should_receive(:safe_dscl).with("read /Users/toor").and_return("\nAuthenticationAuthority: ;ShadowHash;\n")
-        @provider.modify_password
-        @output.string.strip.should match(/^0{168}(FFFFFFFF1C1AA7935D4E1190AFEC92343F31F7671FBF126D)0{1071}$/)
-      end    
-    end
-
-    it "should write the output directly to the shadow hash file at /var/db/shadow/hash/GUID" do
-      shadow_file = StringIO.new
-      uuid = "B398449E-CEE0-45E0-80F8-B0B5B1BFDEAA"
-      File.should_receive(:open).with("/var/db/shadow/hash/B398449E-CEE0-45E0-80F8-B0B5B1BFDEAA",'w',0600).and_yield(shadow_file)
-      @provider.should_receive(:safe_dscl).with("read /Users/toor GeneratedUID").and_return(uuid)
-      @provider.should_receive(:safe_dscl).with("read /Users/toor").and_return("\nAuthenticationAuthority: ;ShadowHash;\n")
-      @provider.modify_password
-      shadow_file.string.should match(/^0{168}[0-9A-F]{48}0{1071}$/)
-    end
-
-    it "should run safe_dscl append /Users/user AuthenticationAuthority ;ShadowHash; when no shadow hash set" do
-      shadow_file = StringIO.new
-      uuid = "B398449E-CEE0-45E0-80F8-B0B5B1BFDEAA"
-      File.should_receive(:open).with("/var/db/shadow/hash/B398449E-CEE0-45E0-80F8-B0B5B1BFDEAA",'w',0600).and_yield(shadow_file)
-      @provider.should_receive(:safe_dscl).with("read /Users/toor GeneratedUID").and_return(uuid)
-      @provider.should_receive(:safe_dscl).with("read /Users/toor").and_return("\nAuthenticationAuthority:\n")
-      @provider.should_receive(:safe_dscl).with("append /Users/toor AuthenticationAuthority ';ShadowHash;'")
-      @provider.modify_password
-      shadow_file.string.should match(/^0{168}[0-9A-F]{48}0{1071}$/)
+    describe "when user is not there" do
+      it "shouldn't raise an error" do
+        lambda { provider.load_current_resource }.should_not raise_error
+      end
+
+      it "should set @user_exists" do
+        provider.load_current_resource
+        provider.instance_variable_get(:@user_exists).should be_false
+      end
+
+      it "should set username" do
+        provider.load_current_resource
+        provider.current_resource.username.should eq("toor")
+      end
+    end
+
+    describe "when user is there" do
+      let(:password) { "something" } # Load password during load_current_resource
+
+      describe "on 10.7" do
+        let(:mac_version) {
+          "10.7.5"
+        }
+
+        let(:user_plist_file) { "10.7" }
+
+        it "collects the user data correctly" do
+          provider.load_current_resource
+          provider.current_resource.comment.should eq("vagrant")
+          provider.current_resource.uid.should eq("11112222-3333-4444-AAAA-BBBBCCCCDDDD")
+          provider.current_resource.gid.should eq("80")
+          provider.current_resource.home.should eq("/Users/vagrant")
+          provider.current_resource.shell.should eq("/bin/bash")
+          provider.current_resource.password.should eq(vagrant_sha_512)
+        end
+
+        describe "when a plain password is set that is same" do
+          let(:password) { "vagrant" }
+
+          it "diverged_password? should report false" do
+            provider.load_current_resource
+            provider.diverged_password?.should be_false
+          end
+        end
+
+        describe "when a plain password is set that is different" do
+          let(:password) { "not_vagrant" }
+
+          it "diverged_password? should report true" do
+            provider.load_current_resource
+            provider.diverged_password?.should be_true
+          end
+        end
+
+        describe "when iterations change" do
+          let(:password) { vagrant_sha_512 }
+          let(:iterations) { 12345 }
+
+          it "diverged_password? should report false" do
+            provider.load_current_resource
+            provider.diverged_password?.should be_false
+          end
+        end
+
+        describe "when shadow hash changes" do
+          let(:password) { salted_sha512_password }
+
+          it "diverged_password? should report true" do
+            provider.load_current_resource
+            provider.diverged_password?.should be_true
+          end
+        end
+
+        describe "when salt change" do
+          let(:password) { vagrant_sha_512 }
+          let(:salt) { "SOMETHINGRANDOM" }
+
+          it "diverged_password? should report false" do
+            provider.load_current_resource
+            provider.diverged_password?.should be_false
+          end
+        end
+      end
+
+      describe "on 10.8" do
+        let(:mac_version) {
+          "10.8.3"
+        }
+
+        let(:user_plist_file) { "10.8" }
+
+        it "collects the user data correctly" do
+          provider.load_current_resource
+          provider.current_resource.comment.should eq("vagrant")
+          provider.current_resource.uid.should eq("11112222-3333-4444-AAAA-BBBBCCCCDDDD")
+          provider.current_resource.gid.should eq("80")
+          provider.current_resource.home.should eq("/Users/vagrant")
+          provider.current_resource.shell.should eq("/bin/bash")
+          provider.current_resource.password.should eq("ea4c2d265d801ba0ec0dfccd\
+253dfc1de91cbe0806b4acc1ed7fe22aebcf6beb5344d0f442e590\
+ffa04d679075da3afb119e41b72b5eaf08ee4aa54693722646d5\
+19ee04843deb8a3e977428d33f625e83887913e5c13b70035961\
+5e00ad7bc3e7a0c98afc3e19d1360272454f8d33a9214d2fbe8b\
+e68d1f9821b26689312366")
+          provider.current_resource.salt.should eq("f994ef2f73b7c5594ebd1553300976b20733ce0e24d659783d87f3d81cbbb6a9")
+          provider.current_resource.iterations.should eq(39840)
+        end
+      end
+
+      describe "on 10.7 upgraded to 10.8" do
+        # In this scenario user password is still in 10.7 format
+        let(:mac_version) {
+          "10.8.3"
+        }
+
+        let(:user_plist_file) { "10.7-8" }
+
+        it "collects the user data correctly" do
+          provider.load_current_resource
+          provider.current_resource.comment.should eq("vagrant")
+          provider.current_resource.uid.should eq("11112222-3333-4444-AAAA-BBBBCCCCDDDD")
+          provider.current_resource.gid.should eq("80")
+          provider.current_resource.home.should eq("/Users/vagrant")
+          provider.current_resource.shell.should eq("/bin/bash")
+          provider.current_resource.password.should eq("6f75d7190441facc34291ebbea1fc756b242d4f\
+e9bcff141bccb84f1979e27e539539aa31f9f7dcc92c0cea959\
+ea18e18b720e358e7fbe3cfbeaa561456f6ba008937a30")
+        end
+
+        describe "when a plain text password is set" do
+          it "reports password needs to be updated" do
+            provider.load_current_resource
+            provider.diverged_password?.should be_true
+          end
+        end
+
+        describe "when a salted-sha512-pbkdf2 shadow is set" do
+          let(:password) { salted_sha512_pbkdf2_password }
+          let(:salt) { salted_sha512_pbkdf2_salt }
+          let(:iterations) { salted_sha512_pbkdf2_iterations }
+
+          it "reports password needs to be updated" do
+            provider.load_current_resource
+            provider.diverged_password?.should be_true
+          end
+        end
+      end
+
+      describe "on 10.9" do
+        let(:mac_version) {
+          "10.9.1"
+        }
+
+        let(:user_plist_file) { "10.9" }
+
+        it "collects the user data correctly" do
+          provider.load_current_resource
+          provider.current_resource.comment.should eq("vagrant")
+          provider.current_resource.uid.should eq("11112222-3333-4444-AAAA-BBBBCCCCDDDD")
+          provider.current_resource.gid.should eq("80")
+          provider.current_resource.home.should eq("/Users/vagrant")
+          provider.current_resource.shell.should eq("/bin/bash")
+          provider.current_resource.password.should eq(vagrant_sha_512_pbkdf2)
+          provider.current_resource.salt.should eq(vagrant_sha_512_pbkdf2_salt)
+          provider.current_resource.iterations.should eq(vagrant_sha_512_pbkdf2_iterations)
+        end
+
+        describe "when a plain password is set that is same" do
+          let(:password) { "vagrant" }
+
+          it "diverged_password? should report false" do
+            provider.load_current_resource
+            provider.diverged_password?.should be_false
+          end
+        end
+
+        describe "when a plain password is set that is different" do
+          let(:password) { "not_vagrant" }
+
+          it "diverged_password? should report true" do
+            provider.load_current_resource
+            provider.diverged_password?.should be_true
+          end
+        end
+
+        describe "when iterations change" do
+          let(:password) { vagrant_sha_512_pbkdf2 }
+          let(:salt) { vagrant_sha_512_pbkdf2_salt }
+          let(:iterations) { 12345 }
+
+          it "diverged_password? should report true" do
+            provider.load_current_resource
+            provider.diverged_password?.should be_true
+          end
+        end
+
+        describe "when shadow hash changes" do
+          let(:password) { salted_sha512_pbkdf2_password }
+          let(:salt) { vagrant_sha_512_pbkdf2_salt }
+          let(:iterations) { vagrant_sha_512_pbkdf2_iterations }
+
+          it "diverged_password? should report true" do
+            provider.load_current_resource
+            provider.diverged_password?.should be_true
+          end
+        end
+
+        describe "when salt change" do
+          let(:password) { vagrant_sha_512_pbkdf2 }
+          let(:salt) { salted_sha512_pbkdf2_salt }
+          let(:iterations) { vagrant_sha_512_pbkdf2_iterations }
+
+          it "diverged_password? should report true" do
+            provider.load_current_resource
+            provider.diverged_password?.should be_true
+          end
+        end
+      end
     end
   end
 
-  describe "load_current_resource" do
-    it "should raise an error if the required binary /usr/bin/dscl doesn't exist" do
-      ::File.should_receive(:exists?).with("/usr/bin/dscl").and_return(false)
-      lambda { @provider.load_current_resource }.should raise_error(Chef::Exceptions::User)
+  describe "salted_sha512_pbkdf2?" do
+    it "should return true when the string is a salted_sha512_pbkdf2 hash" do
+      provider.salted_sha512_pbkdf2?(salted_sha512_pbkdf2_password).should be_true
     end
 
-    it "shouldn't raise an error if /usr/bin/dscl exists" do
-      ::File.stub!(:exists?).and_return(true)
-      lambda { @provider.load_current_resource }.should_not raise_error(Chef::Exceptions::User)
+    it "should return false otherwise" do
+      provider.salted_sha512_pbkdf2?(salted_sha512_password).should be_false
+      provider.salted_sha512_pbkdf2?("any other string").should be_false
     end
   end
 
-  describe "when the user does not yet exist and chef is creating it" do
-    before do
-      @new_resource.comment "#mockssuck"
-      @new_resource.gid 1001
+  describe "salted_sha512?" do
+    it "should return true when the string is a salted_sha512_pbkdf2 hash" do
+      provider.salted_sha512_pbkdf2?(salted_sha512_pbkdf2_password).should be_true
+    end
+
+    it "should return false otherwise" do
+      provider.salted_sha512?(salted_sha512_pbkdf2_password).should be_false
+      provider.salted_sha512?("any other string").should be_false
     end
-    
-    it "creates the user, comment field, sets uid, gid, configures the home directory, sets the shell, and sets the password" do
-      @provider.should_receive :dscl_create_user
-      @provider.should_receive :dscl_create_comment
-      @provider.should_receive :set_uid
-      @provider.should_receive :dscl_set_gid
-      @provider.should_receive :modify_home
-      @provider.should_receive :dscl_set_shell
-      @provider.should_receive :modify_password
-      @provider.create_user
+  end
+
+  describe "prepare_password_shadow_info" do
+    describe "when on Mac 10.7" do
+      let(:mac_version) {
+        "10.7.1"
+      }
+
+      describe "when the password is plain text" do
+        let(:password) { "vagrant" }
+
+        it "password_shadow_info should have salted-sha-512 format" do
+          shadow_info = provider.prepare_password_shadow_info
+          shadow_info.should have_key("SALTED-SHA512")
+          info = shadow_info["SALTED-SHA512"].string.unpack('H*').first
+          provider.salted_sha512?(info).should be_true
+        end
+      end
+
+      describe "when the password is salted-sha-512" do
+        let(:password) { vagrant_sha_512 }
+
+        it "password_shadow_info should have salted-sha-512 format" do
+          shadow_info = provider.prepare_password_shadow_info
+          shadow_info.should have_key("SALTED-SHA512")
+          info = shadow_info["SALTED-SHA512"].string.unpack('H*').first
+          provider.salted_sha512?(info).should be_true
+          info.should eq(vagrant_sha_512)
+        end
+      end
     end
 
-    it "creates the user and sets the comment field" do
-      @provider.should_receive(:safe_dscl).with("create /Users/toor").and_return(true)
-      @provider.dscl_create_user
+    ["10.8", "10.9", "10.10"].each do |version|
+      describe "when on Mac #{version}" do
+        let(:mac_version) {
+          "#{version}.1"
+        }
+
+        describe "when the password is plain text" do
+          let(:password) { "vagrant" }
+
+          it "password_shadow_info should have salted-sha-512 format" do
+            shadow_info = provider.prepare_password_shadow_info
+            shadow_info.should have_key("SALTED-SHA512-PBKDF2")
+            shadow_info["SALTED-SHA512-PBKDF2"].should have_key("entropy")
+            shadow_info["SALTED-SHA512-PBKDF2"].should have_key("salt")
+            shadow_info["SALTED-SHA512-PBKDF2"].should have_key("iterations")
+            info = shadow_info["SALTED-SHA512-PBKDF2"]["entropy"].string.unpack('H*').first
+            provider.salted_sha512_pbkdf2?(info).should be_true
+          end
+        end
+
+        describe "when the password is salted-sha-512" do
+          let(:password) { vagrant_sha_512_pbkdf2 }
+          let(:iterations) { vagrant_sha_512_pbkdf2_iterations }
+          let(:salt) { vagrant_sha_512_pbkdf2_salt }
+
+          it "password_shadow_info should have salted-sha-512 format" do
+            shadow_info = provider.prepare_password_shadow_info
+            shadow_info.should have_key("SALTED-SHA512-PBKDF2")
+            shadow_info["SALTED-SHA512-PBKDF2"].should have_key("entropy")
+            shadow_info["SALTED-SHA512-PBKDF2"].should have_key("salt")
+            shadow_info["SALTED-SHA512-PBKDF2"].should have_key("iterations")
+            info = shadow_info["SALTED-SHA512-PBKDF2"]["entropy"].string.unpack('H*').first
+            provider.salted_sha512_pbkdf2?(info).should be_true
+            info.should eq(vagrant_sha_512_pbkdf2)
+          end
+        end
+      end
     end
-    
-    it "sets the comment field" do
-      @provider.should_receive(:safe_dscl).with("create /Users/toor RealName '#mockssuck'").and_return(true)
-      @provider.dscl_create_comment
+  end
+
+  describe "set_password" do
+    before do
+      new_resource.password("something")
     end
 
-    it "should run safe_dscl with create /Users/user PrimaryGroupID to set the users primary group" do
-      @provider.should_receive(:safe_dscl).with("create /Users/toor PrimaryGroupID '1001'").and_return(true)
-      @provider.dscl_set_gid
+    it "should sleep and flush the dscl cache before saving the password" do
+      provider.should_receive(:prepare_password_shadow_info).and_return({ })
+      mock_shellout = double("Mock::Shellout")
+      mock_shellout.stub(:run_command)
+      Mixlib::ShellOut.should_receive(:new).and_return(mock_shellout)
+      provider.should_receive(:read_user_info)
+      provider.should_receive(:dscl_set)
+      provider.should_receive(:sleep).with(3)
+      provider.should_receive(:shell_out).with("dscacheutil '-flushcache'")
+      provider.should_receive(:save_user_info)
+      provider.set_password
     end
+  end
+
+  describe "when the user does not yet exist and chef is creating it" do
+    context "with a numeric gid" do
+      before do
+        new_resource.comment "#mockssuck"
+        new_resource.gid 1001
+      end
+
+      it "creates the user, comment field, sets uid, gid, configures the home directory, sets the shell, and sets the password" do
+        provider.should_receive :dscl_create_user
+        provider.should_receive :dscl_create_comment
+        provider.should_receive :dscl_set_uid
+        provider.should_receive :dscl_set_gid
+        provider.should_receive :dscl_set_home
+        provider.should_receive :dscl_set_shell
+        provider.should_receive :set_password
+        provider.create_user
+      end
+
+      it "creates the user and sets the comment field" do
+        provider.should_receive(:run_dscl).with("create /Users/toor").and_return(true)
+        provider.dscl_create_user
+      end
+
+      it "sets the comment field" do
+        provider.should_receive(:run_dscl).with("create /Users/toor RealName '#mockssuck'").and_return(true)
+        provider.dscl_create_comment
+      end
+
+      it "should run run_dscl with create /Users/user PrimaryGroupID to set the users primary group" do
+        provider.should_receive(:run_dscl).with("create /Users/toor PrimaryGroupID '1001'").and_return(true)
+        provider.dscl_set_gid
+      end
 
-    it "should run safe_dscl with create /Users/user UserShell to set the users login shell" do
-      @provider.should_receive(:safe_dscl).with("create /Users/toor UserShell '/usr/bin/false'").and_return(true)
-      @provider.dscl_set_shell
+      it "should run run_dscl with create /Users/user UserShell to set the users login shell" do
+        provider.should_receive(:run_dscl).with("create /Users/toor UserShell '/usr/bin/false'").and_return(true)
+        provider.dscl_set_shell
+      end
     end
 
+    context "with a non-numeric gid" do
+      before do
+        new_resource.comment "#mockssuck"
+        new_resource.gid "newgroup"
+      end
+
+      it "should map the group name to a numeric ID when the group exists" do
+        provider.should_receive(:run_dscl).with("read /Groups/newgroup PrimaryGroupID").ordered.and_return("PrimaryGroupID: 1001\n")
+        provider.should_receive(:run_dscl).with("create /Users/toor PrimaryGroupID '1001'").ordered.and_return(true)
+        provider.dscl_set_gid
+      end
+
+      it "should raise an exception when the group does not exist" do
+        shell_return = ShellCmdResult.new("<dscl_cmd> DS Error: -14136 (eDSRecordNotFound)", 'err', -14136)
+        provider.should_receive(:shell_out).with('dscl . -read /Groups/newgroup PrimaryGroupID').and_return(shell_return)
+        lambda { provider.dscl_set_gid }.should raise_error(Chef::Exceptions::GroupIDNotFound)
+      end
+    end
   end
 
   describe "when the user exists and chef is managing it" do
     before do
-      @current_resource = @new_resource.dup
-      @provider.current_resource = @current_resource
-      
-      # These are all different from @current_resource
-      @new_resource.username "mud"
-      @new_resource.uid 2342
-      @new_resource.gid 2342
-      @new_resource.home '/Users/death'
-      @new_resource.password 'goaway'
-    end
-    
+      current_resource = new_resource.dup
+      provider.current_resource = current_resource
+
+      # These are all different from current_resource
+      new_resource.username "mud"
+      new_resource.uid 2342
+      new_resource.gid 2342
+      new_resource.home '/Users/death'
+      new_resource.password 'goaway'
+    end
+
     it "sets the user, comment field, uid, gid, moves the home directory, sets the shell, and sets the password" do
-      @provider.should_receive :dscl_create_user
-      @provider.should_receive :dscl_create_comment
-      @provider.should_receive :set_uid
-      @provider.should_receive :dscl_set_gid
-      @provider.should_receive :modify_home
-      @provider.should_receive :dscl_set_shell
-      @provider.should_receive :modify_password
-      @provider.create_user
+      provider.should_receive :dscl_create_user
+      provider.should_receive :dscl_create_comment
+      provider.should_receive :dscl_set_uid
+      provider.should_receive :dscl_set_gid
+      provider.should_receive :dscl_set_home
+      provider.should_receive :dscl_set_shell
+      provider.should_receive :set_password
+      provider.create_user
     end
   end
 
   describe "when changing the gid" do
     before do
-      @current_resource = @new_resource.dup
-      @provider.current_resource = @current_resource
-      
-      # This is different from @current_resource
-      @new_resource.gid 2342
+      current_resource = new_resource.dup
+      provider.current_resource = current_resource
+
+      # This is different from current_resource
+      new_resource.gid 2342
     end
-    
+
     it "sets the gid" do
-      @provider.should_receive :dscl_set_gid
-      @provider.manage_user
+      provider.should_receive :dscl_set_gid
+      provider.manage_user
     end
   end
 
-  describe "when the user exists and chef is removing it" do
-    it "removes the user's home directory when the resource is configured to manage home" do
-      @new_resource.supports({ :manage_home => true })
-      @provider.should_receive(:safe_dscl).with("read /Users/toor").and_return("NFSHomeDirectory: /Users/fuuuuuuuuuuuuu")
-      @provider.should_receive(:safe_dscl).with("delete /Users/toor")
-      FileUtils.should_receive(:rm_rf).with("/Users/fuuuuuuuuuuuuu")
-      @provider.remove_user
-    end
-    
-    it "removes the user from any group memberships" do
-      Etc.stub(:group).and_yield(OpenStruct.new(:name => 'ragefisters', :mem => 'toor'))
-      @provider.should_receive(:safe_dscl).with("delete /Users/toor")
-      @provider.should_receive(:safe_dscl).with("delete /Groups/ragefisters GroupMembership 'toor'")
-      @provider.remove_user
+  describe "when the user exists" do
+    before do
+      provider.should_receive(:shell_out).with("plutil -convert xml1 -o - /var/db/dslocal/nodes/Default/users/toor.plist") do
+        ShellCmdResult.new(File.read(File.join(CHEF_SPEC_DATA, "mac_users/10.9.plist.xml")), "", 0)
+      end
+      provider.load_current_resource
+    end
+
+    describe "when Chef is removing the user" do
+      it "removes the user from the groups and deletes home directory when the resource is configured to manage home" do
+        new_resource.supports({ :manage_home => true })
+        provider.should_receive(:run_dscl).with("list /Groups").and_return("my_group\nyour_group\nreal_group\n")
+        provider.should_receive(:run_dscl).with("read /Groups/my_group").and_raise(Chef::Exceptions::DsclCommandFailed) # Empty group
+        provider.should_receive(:run_dscl).with("read /Groups/your_group").and_return("GroupMembership: not_you")
+        provider.should_receive(:run_dscl).with("read /Groups/real_group").and_return("GroupMembership: toor")
+        provider.should_receive(:run_dscl).with("delete /Groups/real_group GroupMembership 'toor'")
+        provider.should_receive(:run_dscl).with("delete /Users/toor")
+        FileUtils.should_receive(:rm_rf).with("/Users/vagrant")
+        provider.remove_user
+      end
     end
-  end
 
-  describe "when discovering if a user is locked" do
-
-    it "determines the user is not locked when dscl shows an AuthenticationAuthority without a DisabledUser field" do
-      @provider.should_receive(:safe_dscl).with("read /Users/toor")
-      @provider.should_not be_locked
+    describe "when user is not locked" do
+      it "determines the user as not locked" do
+        provider.should_not be_locked
+      end
     end
 
-    it "determines the user is locked when dscl shows an AuthenticationAuthority with a DisabledUser field" do
-      @provider.should_receive(:safe_dscl).with('read /Users/toor').and_return("\nAuthenticationAuthority: ;DisabledUser;\n")
-      @provider.should be_locked
-    end
+    describe "when user is locked" do
+      before do
+        auth_authority = provider.instance_variable_get(:@authentication_authority)
+        provider.instance_variable_set(:@authentication_authority, auth_authority + ";DisabledUser;")
+      end
+
+      it "determines the user as not locked" do
+        provider.should be_locked
+      end
 
-    it "determines the user is not locked when dscl shows no AuthenticationAuthority" do
-      @provider.should_receive(:safe_dscl).with('read /Users/toor').and_return("\n")
-      @provider.should_not be_locked
+      it "can unlock the user" do
+        provider.should_receive(:run_dscl).with("create /Users/toor AuthenticationAuthority ';ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'")
+        provider.unlock_user
+      end
     end
   end
 
   describe "when locking the user" do
-    it "should run safe_dscl with append /Users/user AuthenticationAuthority ;DisabledUser; to lock the user account" do
-      @provider.should_receive(:safe_dscl).with("append /Users/toor AuthenticationAuthority ';DisabledUser;'")
-      @provider.lock_user
+    it "should run run_dscl with append /Users/user AuthenticationAuthority ;DisabledUser; to lock the user account" do
+      provider.should_receive(:run_dscl).with("append /Users/toor AuthenticationAuthority ';DisabledUser;'")
+      provider.lock_user
     end
   end
 
-  describe "when unlocking the user" do
-    it "removes DisabledUser from the authentication string" do
-      @provider.should_receive(:safe_dscl).with("read /Users/toor AuthenticationAuthority").and_return("\nAuthenticationAuthority: ;ShadowHash; ;DisabledUser;\n")
-      @provider.should_receive(:safe_dscl).with("create /Users/toor AuthenticationAuthority ';ShadowHash;'")
-      @provider.unlock_user
-    end
-  end
 end